Search
K
Links

How to create a VPN server with Microsoft Azure

Learn how to create a personal VPN server using Microsoft Azure and Meshnet.

Introduction

Microsoft Azure is a cloud computing platform that provides a range of options for people looking to host their services on the cloud. Azure's extensive features and benefits make it a great choice to host a VPN server.
With Microsoft Azure, you can easily create and manage various virtual machines (VMs). Its global network of data centers ensures fast and reliable access to your services from anywhere in the world. Additionally, Azure has a flexible pricing model, offering a free subscription and allowing you to pay only for the resources you use once the free trial expires.
By using Meshnet in tandem with Azure, you can turn a simple VM into a secure VPN server without any advanced configuration.
This guide showcases how you can make a VPN server from a VM hosted by Microsoft Azure using Meshnet’s traffic routing feature.
Note
Be aware that by setting up your own VPN server, you increase your online privacy but not to the same extent as when connecting to a regular VPN server provided by NordVPN, which follows a strict no-logs policy.

Before you begin

To follow this guide, you need an active Microsoft Azure account. You can sign up for free on the Azure website.

Deploy a virtual machine on Microsoft Azure

First, you need to create a VM on Azure. While this guide focuses on setting up an Ubuntu VM, Azure allows you to create Windows VMs as well.

Method 1: Creating a VM using Azure Portal

  1. 1.
    Log in to your Azure account.
  2. 2.
    From your Azure portal, click Virtual machines.
  3. 3.
    Click Create and select Azure virtual machine.
  4. 4.
    In the Instance details section, name your VM, select its region, and choose the operating system (for example, Ubuntu 22.04 LTS).
    Creating the VM by entering its name, selecting the region, and the OS image.
  5. 5.
    Under Administrator account, select SSH public key authentication or create a password and choose the name of the administrator user of the VM.
    Selecting the SSH public key authentication type and the username for the administrator account.
  6. 6.
    Click Review + create.
  7. 7.
    Click Create.
Note
If you chose the SSH key authentication type, you will receive a Generate new key pair message after clicking the Create button. Select the Download private key and create resource option to download the private key file.
Clicking 'Download private key and create resource'.

Method 2: Creating a VM using Azure CLI

Another method of managing Azure resources is the Azure Command-line interface (CLI). The Azure CLI allows you to create, deploy, and manage your Azure resources without using the internet browser. This method is highly beneficial for automation or server environments.

Install Azure CLI

To interact with Azure using CLI, you need to install the Azure CLI application on your device. Installation instructions for all compatible operating systems can be found on the Azure CLI documentation page.

Log in to Azure

Upon installing Azure CLI, log in to your Azure account by taking these steps:
  1. 1.
    Open PowerShell (on Windows) or Terminal (on macOS and Linux).
  2. 2.
    Run the following command to start the login process:
    az login
  3. 3.
    Open the generated URL in an internet browser.
  4. 4.
    Log in to your Azure account.
  5. 5.
    Authenticate using the code provided in your CLI window.

Create your resource group

Azure uses resource groups to manage your VMs and their related resources. To create a resource group for your VPN server:
Windows
macOS and Linux
  1. 1.
    Open PowerShell.
  2. 2.
    Define the environmental variables for your VM by running the following commands:
    $env:RESOURCE_GROUP_NAME="<groupName>"
    $env:LOCATION="<region>"
    $env:VM_NAME="<vmName>"
    $env:VM_IMAGE="<imageName>"
    $env:ADMIN_USERNAME="<username>"
    Where:
    • <groupName> is a custom name for your resource group.
    • <location> is the region where your VM will be located.
      • You can check region names with the az account list-locations -o table command.
    • <vmName> is a custom name for your VM.
    • <imageName> is the name of the operating system image for your VM.
    • <username> is the name of the user account for your VM. Example
      Creating environmental variables for the virtual machine in PowerShell.
  3. 3.
    Create the resource group with this command:
    az group create --name $env:RESOURCE_GROUP_NAME --location $env:LOCATION
Note
The environmental variables will be reset if you close the PowerShell window.
  1. 1.
    Open Terminal.
  2. 2.
    Define the environmental variables for your VM by running the following commands:
    export RESOURCE_GROUP_NAME=<groupName>
    export LOCATION=<region>
    export VM_NAME=<vmName>
    export VM_IMAGE=<imageName>
    export ADMIN_USERNAME=<user>
    Where:
    • <groupName> is a custom name for your resource group.
    • <location> is the region where your VM will be located.
      • You can check region names with the az account list-locations -o table command.
    • <vmName> is a custom name for your VM.
    • <imageName> is the name of the operating system image for your VM.
    • <username> is the name of the user account for your VM. Example
      Creating environmental variables for the virtual machine in Terminal.
  3. 3.
    Create the resource group with this command:
    az group create --name $RESOURCE_GROUP_NAME --location $LOCATION
Note
The environmental variables will be reset if you close the Terminal window.

Deploy the VM

With the environment variables defined and the resource group created, you can deploy your VM in Azure.
Windows
macOS and Linux
In PowerShell, execute the following command to create the virtual machine in Azure:
az vm create `
--resource-group $env:RESOURCE_GROUP_NAME `
--name $env:VM_NAME `
--image $env:VM_IMAGE `
--admin-username $env:ADMIN_USERNAME `
--generate-ssh-keys `
--public-ip-sku Standard
This command automatically generates an SSH key pair for your VM and places it in the default SSH directory (~/.ssh). Once the VM is created, you will see an output of the VM's information.
Information of the created virtual machine.
In Terminal, execute the following command to create the virtual machine in Azure:
az vm create \
--resource-group $RESOURCE_GROUP_NAME \
--name $VM_NAME \
--image $VM_IMAGE \
--admin-username $ADMIN_USERNAME \
--generate-ssh-keys \
--public-ip-sku Standard
This command automatically generates an SSH key pair for your VM and places it in the default SSH directory (~/.ssh). Once the VM is created, you will see an output of the VM's information.
Information of the created virtual machine.

Access the virtual machine

Once your VM is deployed, you can access it over SSH. The way to access the VM depends on which authentication method you chose while creating it.
SSH public key authentication
SSH password authentication

Changing permissions for the private key

To use the SSH key for authentication, you need to set the private key’s permissions to read-only.

Windows

  1. 1.
    Open PowerShell.
  2. 2.
    Run the following three commands to apply the permission change, substituting </path/to/private/key> with the path to the downloaded private key:
    icacls.exe </path/to/private/key> /reset
    icacls.exe </path/to/private/key> /grant:r "$($env:username):(r)"
    icacls.exe </path/to/private/key> /inheritance:r
    Example
    Running the given commands in PowerShell to change permissions for the SSH key file

macOS and Linux

  1. 1.
    Open Terminal.
  2. 2.
    Run the following command to apply the permission change, substituting </path/to/private/key> with the path to the downloaded private key:
    chmod 400 </path/to/private/key>
    Example
    chmod 400 /Users/ventura/.ssh/UbuntuVPNServer_key.pem

Connecting over SSH

  1. 1.
    Locate the public IP address of your VM.
    • You can find the public IP in the Overview section of the VM in your Azure Portal.
      Public IP address of the Azure VM.
    • If you created the VM using Azure CLI, you can run one of the following commands: For Windows in PowerShell:
      az vm show -d -g $env:RESOURCE_GROUP_NAME -n $env:VM_NAME --query publicIps -o tsv
      For macOS and Linux in Terminal:
      az vm show -d -g $RESOURCE_GROUP_NAME -n $VM_NAME --query publicIps -o tsv
  2. 2.
    Run the ssh -i </path/to/private/key> <username>@<server> command in PowerShell or Terminal, where:
    • </path/to/private/key> is the location of the downloaded SSH private key.
    • <username> is the name of the administrator user of the VM.
    • <server> is the VM’s public IP address.
      Example
      ssh -i C:\Users\secretmeerkat\.ssh\UbuntuVPNServer_key.pem [email protected]
  3. 3.
    Type in yes and press Enter to confirm the connection.
You should now be connected to your Azure VM.
  1. 1.
    Locate the public IP address of your VM. It can be found in the Overview section of the VM in your Azure Portal.
    Public IP address of the Azure VM.
  2. 2.
    Open Terminal (on Linux and macOS) or Command Prompt (on Windows).
  3. 3.
    Run the ssh <username>@<server> command, where:
    • <username> is the name of the administrator user of the VM.
    • <server> is the VM’s public IP address. Example
  4. 4.
    Enter your authentication password.
  5. 5.
    Type in yes and press Enter to confirm the connection.
You should now be connected to your Azure VM.

Install NordVPN on the virtual machine

Follow these steps to install NordVPN on your virtual server:
  1. 1.
    Download and install the NordVPN Linux client by running the command below.
    sh <(wget -qO - https://downloads.nordcdn.com/apps/linux/install.sh)
  2. 2.
    Log in to your NordVPN account.

Log in to NordVPN

You can log in to your NordVPN account without the use of a graphical user interface (GUI) in two ways:
  • By running the nordvpn login command with the --token flag
  • By running the nordvpn login command with the --callback flag
Instructions for both methods are outlined below.
Log in using a token
  1. 1.
    On any device, log in to your Nord Account dashboard and, under NordVPN Meshnet free, select View details.
    Clicking the 'View details' button under NordVPN Meshnet free.
  2. 2.
    Scroll down until you see Manual setup, and select Set up NordVPN manually.
    Clicking the 'Set up NordVPN manually' button.
  3. 3.
    Enter the verification code sent to your email address.
  4. 4.
    Under Access token, select Generate new token.
    Clicking 'Generate new token'
  5. 5.
    In the dialog that appears, choose either a token that expires in 30 days or one that never expires, and then select Generate token.
    Selecting the token expiration date.
  6. 6.
    Select Copy and close.
  7. 7.
    On your VM, run the nordvpn login --token <your_token> command, replacing <your_token> with the copied token. Example
    nordvpn login --token 3fe460cefb8dcf1478c92e45908cec9f9bdbadf7a456a6dfb35dc2c58ee39d5b
You should now see a welcome message.
Log in using a URL
  1. 1.
    Run the following command:
    nordvpn login
  2. 2.
    Open the provided link on any device in your browser.
  3. 3.
    Complete the login procedure.
  4. 4.
    Right-click the Continue button and select Copy link address.
  5. 5.
    Run the nordvpn login --callback "<URL>" command, replacing <URL> with the previously copied link address. Example
    nordvpn login --callback "nordvpn://login?action=login&exchange_token=MGFlY2E1NmE4YjM2NDM4NjUzN2VjOWIzYWM3ZTU3ZDliNDdiNzRjZTMwMjE5YjkzZTNhNTI3ZWZlOTIwMGJlOQ%3D%3D&status=done"
You should now see a welcome message.
Tip
To preserve your token when logging out of the NordVPN app, use the nordvpn logout --persist-token command. Otherwise, your token will be revoked.
Note
If you encounter the error message “Whoops! Permission denied accessing /run/nordvpn/nordvpnd.sock,” enter sudo usermod -aG nordvpn $USER. Then, reboot your instance and log back in.

Enable Meshnet

Upon logging in, you can enable Meshnet on Linux by typing this command:
nordvpn set meshnet on
To check your server’s Nord name and the Meshnet IP address, enter the following command:
nordvpn meshnet peer list
Example
Enabling Meshnet and checking the Nord name and Meshnet IP of the VM.
You will also see all of your Meshnet peer devices with their corresponding permissions.

Grant the traffic routing permission

To begin using the VPN server, you need to grant the traffic routing permission for each peer device that you want to have access to the server. Enable this permission from the server machine using the following command:
nordvpn meshnet peer routing allow <device>
Example
nordvpn meshnet peer routing allow secret.meerkat-everest.nord
For more information, see the Traffic routing permissions page.

Connect to your VPN server

With Meshnet enabled and the permissions granted, your peer devices should now be able to connect to the server. To connect, start routing traffic from a client device through the VM, which you can find in the list of your Meshnet peer devices.
Clicking 'Route all traffic'
For specific instructions, see the Routing traffic in Meshnet article.
Your IP address should now be the same as the virtual machine’s. This way, your real public IP address is protected, and the websites you visit will see the location of your VPN server instead of your actual device.
Checking the new IP address after connecting to the VPN server.
© 2023 Nord Security. All Rights Reserved.